自己慢慢写的PeTool，有点乱，但是函数功能和参数注释应该还挺全的吧？

#include "stdafx.h"
#include "pe.h"
#include <stdlib.h>
#include "stdafx.h"
#include <iostream>
#include <iomanip>
#include <fstream>
#include <string>
#include <windows.h>
#include <malloc.h>

using namespace std;
#define MessageBox_Add 0x74D61E80

//功能：通过文件路径获得文件指针，并返回其指针地址
//参数：一个指针类型的返回的pFileBuffer指针地址
int Return_FileBuffer_File_sizeAndpFileBuffer(OUT LPVOID* pFileBuffer, IN char* FilePath)
{

FILE* File = ReadFile(FilePath, "rb");
int File_size = compute_file_len(File);
*pFileBuffer = File_to_FileBuffer(File_size, File);
fclose(File);
return File_size;
}

 

//功能:打印PE信息
void Print_Pe(IN char* FilePath)
{
FILE* File_Address;
File_Address = ReadFile(FilePath, "rb");
int file_size = compute_file_len(File_Address);
char* FileBuffer = (char*)File_to_FileBuffer(file_size, File_Address);
Read_Pe_info(FileBuffer);
}

//读取文件，并返回文件流
//参数1：文件路径
//参数2：读取类型
FILE* ReadFile(LPSTR FilePath, char* Type)

{
FILE* FileAddress;//定义文件流
if (!(FileAddress = fopen(FilePath, Type)))
{
printf("没有读取文件失败，错误01");
fclose(FileAddress);
return 0;
}
return FileAddress;
}

//获得读取的文件流大小，返回文件流大小
//参数：文件流地址
int SizeOfFile(FILE* FileAddress)
{
int size;
//定位到文件末尾
fseek(FileAddress, NULL, SEEK_END);
//得到大小
size = ftell(FileAddress);
//重定位文件头到最开始的位置
fseek(FileAddress, NULL, SEEK_SET);
return size;
}


//申请动态内存，从文件流读取数据，并返回动态内存的文件指针
//参数1：文件流大小,字节
//参数2:文件流指针
//返回值：动态内存的文件指针
LPVOID File_to_FileBuffer(int size, FILE* FileAddress)
{
if (!size)
{
printf("没有获得需要申请的内存大小");
fclose(FileAddress);
return 0;
}
LPVOID MalcMem = NULL;
MalcMem = (char*)malloc(size);
memset(MalcMem, 0, size);
fread(MalcMem, 1, size, FileAddress);
return MalcMem;
}


//把文件数据写内存中
//参数1：文件流地址，
//参数2：申请的Filebuffer动态内存地址，
//参数3：Filebuffer大小
LPVOID ReadFileMem(FILE* File_address, LPVOID pFilebuffer, int pFilebuffer_size)
{
if (!(fread(pFilebuffer, 1, pFilebuffer_size, File_address)))
{
printf("错误，请查看代码1000");
return 0;
}
return pFilebuffer;
}

//动态分配内存，并刷新分配的内存空间
//参数1：文件大小
char* Malloc(int buffer_size)
{
char* buffer_address = (char*)malloc(buffer_size);
if (!buffer_address)
{
printf("内存分配失败，检查代码1001");
return 0;
}
memset(buffer_address, 0, buffer_size);
return buffer_address;
}


//读取Filebuffer的信息，并打印出来
//参数1：buffer地址
void Read_Pe_info(IN LPVOID buffer_address)
{

PIMAGE_DOS_HEADER pDosHeader = NULL;
PIMAGE_NT_HEADERS pNTHeader = NULL;
PIMAGE_FILE_HEADER pPEHeader = NULL;
PIMAGE_OPTIONAL_HEADER32 pOptionHeader = NULL;
PIMAGE_SECTION_HEADER pSectionHeader = NULL;

pDosHeader = (PIMAGE_DOS_HEADER)buffer_address;
// 获取PE头部偏移
if (*((PDWORD)((DWORD)pDosHeader + pDosHeader->e_lfanew)) != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志!\n");
free(buffer_address);

}
printf("pDosHeader:%x\n", pDosHeader->e_magic);
pNTHeader = PIMAGE_NT_HEADERS((DWORD)pDosHeader + pDosHeader->e_lfanew);
printf("=====================开始查找NT头中信息=============================\n\n");
printf("pNTHeader:%08x\n", pNTHeader->Signature);

//强制类型转化，指向标准PE头
pPEHeader = PIMAGE_FILE_HEADER((DWORD)pNTHeader + 4);
printf("=====================开始查找标准PE头中信息=========================\n");
printf("pPEHeader:%x\n", pPEHeader->Machine);
printf("节的数量:%d\n", pPEHeader->NumberOfSections);
printf("SizeOfOptionalHeader(可选PE头的大小)：%x\n", pPEHeader->SizeOfOptionalHeader);
int NumberOfSections = pPEHeader->NumberOfSections;

// 强制类型转换，指向可选PE头
pOptionHeader = PIMAGE_OPTIONAL_HEADER32((DWORD)pPEHeader + IMAGE_SIZEOF_FILE_HEADER);
printf("====================开始查找可选PE头中信息==========================\n");
printf("SizeOfImage:%x\n", pOptionHeader->SizeOfImage);
printf("SizeOfHeaders:%x\n", pOptionHeader->SizeOfHeaders);
printf("SectionAlignment:%x\n", pOptionHeader->SectionAlignment);
DWORD SizeOfHeaders = pOptionHeader->SizeOfHeaders;
DWORD SizeOfImage = pOptionHeader->SizeOfImage;
DWORD SectionAlignment = pOptionHeader->SectionAlignment;
// 强制类型转换，指向节表中的信息
printf("====================查找到节表中信息%d个==========================\n", pPEHeader->NumberOfSections);
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionHeader + pPEHeader->SizeOfOptionalHeader);

for (int i = 0; i<NumberOfSections; i++, pSectionHeader++)
{
printf("Section_Name:%s\n", pSectionHeader->Name);
printf("VirtualAddress:%08X\n", pSectionHeader->VirtualAddress);
printf("SizeOfRawData:%08X\n", pSectionHeader->SizeOfRawData);
printf("PointerToRawData:%08X\n", pSectionHeader->PointerToRawData);
printf("==============================================\n");
//info_Address[i] = pSectionHeader->VirtualAddress;
//info_RawData[i] = pSectionHeader->SizeOfRawData;
//info_PointerToRawData[i] = pSectionHeader->PointerToRawData;
}
printf("打印PE信息结束！！\n");

 

}

 

//FileBuffer拉伸到Imagebuffer
//参数1：FileBuffer指针
void FileBufferToImagebuffer(IN LPVOID* pFileBuffer, OUT LPVOID* pImagebuffer)
{
LPVOID pTempImageBuffer = NULL;
if (!pFileBuffer)
{
printf("没有获取到FileBuffer指针，请检查代码");

}

PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)*pFileBuffer;
if (*(PWORD)pDos != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志，请检查代码或者是否为EXE程序");

}
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)((DWORD)pDos + pDos->e_lfanew);
if (*(PWORD)pNt != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志，请检查代码或者是否为EXE程序");

}
PIMAGE_FILE_HEADER pFile = (PIMAGE_FILE_HEADER)((DWORD)pNt + 4);
PIMAGE_OPTIONAL_HEADER pOption = (PIMAGE_OPTIONAL_HEADER)((DWORD)pFile + IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER pSetion = (PIMAGE_SECTION_HEADER)((DWORD)pOption + pFile->SizeOfOptionalHeader);

//将sizeofimage的值扩展为SectionAlignment的整数倍（在内存中一般是0x1000的整数倍）
int Sizeofimage_Alignment = pOption->SizeOfImage;
int iTemp = pOption->SizeOfImage % pOption->SectionAlignment;

if (iTemp != 0)
{
Sizeofimage_Alignment = pOption->SizeOfImage + pOption->SectionAlignment - iTemp;
pOption->SizeOfImage = (DWORD)Sizeofimage_Alignment;
}


//申请动态内存
pTempImageBuffer = (LPVOID)malloc(Sizeofimage_Alignment);
//刷新内存
memset(pTempImageBuffer, 0, pOption->SizeOfImage);
//复制头到动态内存
if (!pTempImageBuffer)
{
printf("内存分配失败,代码0009");
}
memcpy(pTempImageBuffer, *pFileBuffer, pOption->SizeOfHeaders);
//复制节表
int CountSection = pFile->NumberOfSections;
for (int i = 0; i < CountSection; i++, pSetion++)
{
memcpy((LPVOID)((DWORD)pTempImageBuffer + pSetion->VirtualAddress), (LPVOID)((DWORD)pDos + pSetion->PointerToRawData), pSetion->SizeOfRawData);
}
*pImagebuffer = pTempImageBuffer;

}

 

//保存内存缓存为文件
//参数1：pNewFileBuffer指针
//参数2：缓存大小
//参数3：文件保存路径,建议使用#define 进行定义，例如：#define NewFilePath "D:\\XXXXX.exe";
void Save_pNewFileBufferTo_EXE(IN LPVOID* pNewFileBuffer, IN char* NewFilePath, int pFileSize)
{

FILE* Save_file = fopen(NewFilePath, "wb+");
fwrite(*pNewFileBuffer, pFileSize, 1, Save_file);
if (!Save_file)
{
printf("拷贝失败了，错误代码22\n");
fclose(Save_file);
return;
}
fclose(Save_file);
return;
}

 

//功能：在代码节空白区添加代码
//参数1：一个指针类型的pImgeBuffer指针地址
//参数2：一个指针类型的pNewImageBuffer指针地址（添加代码后的内存映像）
//参数3,：返回被插入代码后的sizeofimage大小
void CodeSection_InsertCode(IN LPVOID* pImageBuffer, OUT LPVOID* pNewImageBuffer, DWORD* SizeOfImage)
{
char ShellCode[] =
{
0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,//MessgeBoxA(0,0,0,0) 四个参数，在堆中压如堆栈，
0xE8, 0x00, 0x00, 0x00, 0x00,//E8 就是call
0xE9, 0x00, 0x00, 0x00, 0x00 //E9 就是JMP
};

PIMAGE_DOS_HEADER pNewDos = (PIMAGE_DOS_HEADER)*pImageBuffer;
PIMAGE_NT_HEADERS pNewNt = (PIMAGE_NT_HEADERS)((DWORD)pNewDos + (DWORD)(pNewDos->e_lfanew));
PIMAGE_FILE_HEADER pNewFile = (PIMAGE_FILE_HEADER)((DWORD)pNewNt + 4);
PIMAGE_OPTIONAL_HEADER pNewOptional = (PIMAGE_OPTIONAL_HEADER)((DWORD)pNewFile + IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER pNewSection = (PIMAGE_SECTION_HEADER)((DWORD)pNewOptional + pNewFile->SizeOfOptionalHeader);

if (!(pNewSection->SizeOfRawData - pNewSection->Misc.VirtualSize > 18))
{
printf("第一个节区内存空间不够，请查看SizeOfRawData和Misc.VirtualSize");
free(*pImageBuffer);
}

//计算从第一节的哪个位置开始添加代码
DWORD ImageBase_ = pNewOptional->ImageBase;
char* InsertCode_Pos = (char*)(DWORD)*pImageBuffer + pNewSection->VirtualAddress + pNewSection->Misc.VirtualSize;
//把ShellCode复制到InsertCode_Pos
memcpy(InsertCode_Pos, ShellCode, sizeof(ShellCode));
int E8_Code = MessageBox_Add - (DWORD)(ImageBase_ + ((DWORD)InsertCode_Pos + 0xd - (DWORD)*pImageBuffer));
*(PDWORD)(InsertCode_Pos + 0x9) = E8_Code;
int E9_Code = (ImageBase_ + pNewOptional->AddressOfEntryPoint) - (DWORD)(ImageBase_ + ((DWORD)InsertCode_Pos + 0x12 - (DWORD)*pImageBuffer));
*(PDWORD)(InsertCode_Pos + 0xe) = E9_Code;

pNewOptional->AddressOfEntryPoint = (DWORD)InsertCode_Pos - (DWORD)*pImageBuffer;//重新定位程序入口处

//pNewOptional->SizeOfImage = pNewOptional->SizeOfImage + sizeof(ShellCode);//把Shellcode代码大小添加进SizeofImage
//*SizeOfImage = pNewOptional->SizeOfImage;
//申请一块动态内存，大小为加了18个字节后的sizeofimage
*pNewImageBuffer = malloc(pNewOptional->SizeOfImage);
//把pImageBuffer复制到pNewImagebuffer

int Sizeofimage_Alignment = pNewOptional->SizeOfImage;
int iTemp = pNewOptional->SizeOfImage % pNewOptional->SectionAlignment;

if (iTemp != 0)
{
Sizeofimage_Alignment = pNewOptional->SizeOfImage + pNewOptional->SectionAlignment - iTemp;
pNewOptional->SizeOfImage = Sizeofimage_Alignment;
}

memcpy(*pNewImageBuffer, *pImageBuffer, pNewOptional->SizeOfImage);
*SizeOfImage = pNewOptional->SizeOfImage;

}

 

//ImageBuffer压缩到FileBuffer
//参数1：ImageBuffer指针
//参数2：pNewFileBuffer指针
void ImageBufferToFileBuffer(IN LPVOID* pImageBuffer, IN LPVOID* TempFileBuffer2, OUT LPVOID* pNewFileBuffer)
{
if (!TempFileBuffer2)
{
printf("临时指针TempFileBuffer没有被分配地址");
}
if (!*pImageBuffer)
{
printf("没有获取到FileBuffer指针，请检查代码");

}

PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)*pImageBuffer;
if (*(PWORD)pDos != IMAGE_DOS_SIGNATURE)
{
printf("不是有效的MZ标志，请检查代码或者是否为EXE程序");

}
PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)((DWORD)pDos + pDos->e_lfanew);
if (*(PWORD)pNt != IMAGE_NT_SIGNATURE)
{
printf("不是有效的PE标志，请检查代码或者是否为EXE程序");

}
PIMAGE_FILE_HEADER pFile = (PIMAGE_FILE_HEADER)((DWORD)pNt + 4);
PIMAGE_OPTIONAL_HEADER pOption = (PIMAGE_OPTIONAL_HEADER)((DWORD)pFile + IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER pSetion = (PIMAGE_SECTION_HEADER)((DWORD)pOption + pFile->SizeOfOptionalHeader);

//将sizeofimage的值扩展为SectionAlignment的整数倍（在内存中一般是0x1000的整数倍）
int Sizeofimage_Alignment = pOption->SizeOfImage;
int iTemp = pOption->SizeOfImage % pOption->SectionAlignment;

if (iTemp != 0)
{
Sizeofimage_Alignment = pOption->SizeOfImage + pOption->SectionAlignment - iTemp;
pOption->SizeOfImage = Sizeofimage_Alignment;
}


//申请动态内存
*TempFileBuffer2 = malloc(pOption->SizeOfImage);///////这里有问题，应该是前面的程序出现了内存越界访问造成的。

//刷新内存
memset(*TempFileBuffer2, 0, pOption->SizeOfImage);
//复制头到动态内存
if (!*TempFileBuffer2)
{
printf("内存分配失败,代码0009");
}
memcpy(*TempFileBuffer2, *pImageBuffer, pOption->SizeOfHeaders);
//复制节表
int CountSection = pFile->NumberOfSections;

for (int i = 0; i < CountSection; i++, pSetion++)
{
memcpy((LPVOID)((DWORD)*TempFileBuffer2 + pSetion->PointerToRawData), (LPVOID)((DWORD)pDos + pSetion->VirtualAddress), pSetion->SizeOfRawData);
}
*pNewFileBuffer = *TempFileBuffer2;
//free(*TempFileBuffer2);
}


//计算文件大小
//参数：文件指针
//int返回值：文件大小
int compute_file_len(FILE* pfile)
{
int len = 0;
fseek(pfile, 0, SEEK_END);
len = ftell(pfile);
fseek(pfile, 0, SEEK_SET);
return len;
}

 


//功能：给ImageBuffer新增节
//参数1：传入拉伸后的ImageBuffer指针地址
//参数2：传入添加节后的ImageBuffer指针地址
//该函数没有返回值
void Add_Seciton(IN LPVOID* ImageBuffer, OUT int* pFileSize)
{
//众头归位
PIMAGE_DOS_HEADER Temp_dos = (PIMAGE_DOS_HEADER)*ImageBuffer;
PIMAGE_NT_HEADERS Temp_nt = (PIMAGE_NT_HEADERS)((DWORD)Temp_dos + (DWORD)Temp_dos->e_lfanew);
PIMAGE_FILE_HEADER Temp_file = (PIMAGE_FILE_HEADER)((DWORD)Temp_nt + 4);
PIMAGE_OPTIONAL_HEADER Temp_option = PIMAGE_OPTIONAL_HEADER((DWORD)Temp_file + IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER Temp_sec = PIMAGE_SECTION_HEADER((DWORD)Temp_option + Temp_file->SizeOfOptionalHeader);

//判断SizeofHeader够不够插入一个节表目录，以及够不够一个空白区，这两个一共80个字节。
if (((DWORD)Temp_dos + (DWORD)Temp_option->SizeOfHeaders) - ((DWORD)Temp_dos + ((DWORD)Temp_sec + Temp_file->NumberOfSections * 40)) < 80)
{
printf("这个程序的SizeofHeader不够，无法插入新的节表目录");
free(*ImageBuffer);
return;
}

printf("%c%c%c%c", Temp_sec->Name[0], Temp_sec->Name[1], Temp_sec->Name[2], Temp_sec->Name[3], Temp_sec->Name[4]);
//拿到最后节表的最后位置
PIMAGE_SECTION_HEADER temp_sec_endPos = (PIMAGE_SECTION_HEADER)((DWORD)Temp_sec + Temp_file->NumberOfSections * 40);
//复制最后一个节表到temp_sec_endPos
memcpy(temp_sec_endPos,
(PIMAGE_SECTION_HEADER)((DWORD)Temp_sec +
(Temp_file->NumberOfSections - 1) * 40),
40);
//将新的最后一个节表temp_sec_end后的40个字节刷新为0
memset((temp_sec_endPos + 1), 0, 40);
//修改最后一个表的名字
temp_sec_endPos->Name[0] = 'P'; temp_sec_endPos->Name[1] = 'K';
//修改新增节表在内存中的开始地址
temp_sec_endPos->VirtualAddress = temp_sec_endPos->VirtualAddress +
(temp_sec_endPos->SizeOfRawData > temp_sec_endPos->Misc.VirtualSize ? temp_sec_endPos->SizeOfRawData : temp_sec_endPos->Misc.VirtualSize);
//修改新增节表在文件中的开始地址
temp_sec_endPos->PointerToRawData = temp_sec_endPos->PointerToRawData +
(temp_sec_endPos->SizeOfRawData > temp_sec_endPos->Misc.VirtualSize ? temp_sec_endPos->SizeOfRawData : temp_sec_endPos->Misc.VirtualSize);
//修改在文件中的大小
temp_sec_endPos->SizeOfRawData = 0x1000;
//修改在内存中的大小
temp_sec_endPos->Misc.VirtualSize = 0x1000;

//修改节表属性为可读可写可执行，这里我没写

//修改节表数量
Temp_file->NumberOfSections += 1;

//扩大sizeofimage
Temp_option->SizeOfImage += 0x1000;

*pFileSize = Temp_option->SizeOfImage;

}

//功能：扩大最后一个节
//参数1：拉伸后的ImageBuffer
//参数2：需要把最后一个节扩大多少
//参数3：扩大后的NewImageBuffer
//参数4：传出扩大后的SizeofImage
void Expand_Section(IN PVOID* ImageBuffer, DWORD Add_Byte, OUT PVOID* NewImageBuffer, OUT int* Sizeofimage)
{
//众头归位
PIMAGE_DOS_HEADER Temp_dos = (PIMAGE_DOS_HEADER)*ImageBuffer;
PIMAGE_NT_HEADERS Temp_nt = (PIMAGE_NT_HEADERS)((DWORD)Temp_dos + (DWORD)Temp_dos->e_lfanew);
PIMAGE_FILE_HEADER Temp_file = (PIMAGE_FILE_HEADER)((DWORD)Temp_nt + 4);
PIMAGE_OPTIONAL_HEADER Temp_option = PIMAGE_OPTIONAL_HEADER((DWORD)Temp_file + IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER Temp_sec = PIMAGE_SECTION_HEADER((DWORD)Temp_option + Temp_file->SizeOfOptionalHeader);

//拿到节数量
int Section_num = Temp_file->NumberOfSections;
////拿到最后一个节的位置
PIMAGE_SECTION_HEADER End_Sec = Temp_sec + (Section_num - 1);
//拿到扩大后的大小 ADD_Byte为添加的大小字节
DWORD Final_SecSize = Add_Byte + (End_Sec->SizeOfRawData > End_Sec->Misc.VirtualSize ? End_Sec->SizeOfRawData : End_Sec->Misc.VirtualSize);
//调整节大小
End_Sec->Misc.VirtualSize = Final_SecSize;
End_Sec->SizeOfRawData = Final_SecSize;
//改SizeofImage
Temp_option->SizeOfImage += Add_Byte;
*Sizeofimage = Temp_option->SizeOfImage;

*NewImageBuffer = *ImageBuffer;
}

//功能：把所有节合并为一个节
//参数1：拉伸后的ImageBuffer
//参数2：传出合并后的ImageBuffer
void Comb_Section(IN LPVOID* ImageBuffer, OUT LPVOID* NewImageBuffer, OUT int* SizeofImage)
{
//众头归位
PIMAGE_DOS_HEADER Temp_dos = (PIMAGE_DOS_HEADER)*ImageBuffer;
PIMAGE_NT_HEADERS Temp_nt = (PIMAGE_NT_HEADERS)((DWORD)Temp_dos + (DWORD)Temp_dos->e_lfanew);
PIMAGE_FILE_HEADER Temp_file = (PIMAGE_FILE_HEADER)((DWORD)Temp_nt + 4);
PIMAGE_OPTIONAL_HEADER Temp_option = PIMAGE_OPTIONAL_HEADER((DWORD)Temp_file + IMAGE_SIZEOF_FILE_HEADER);
PIMAGE_SECTION_HEADER Temp_sec = PIMAGE_SECTION_HEADER((DWORD)Temp_option + Temp_file->SizeOfOptionalHeader);

//得到所有节的总大小
DWORD All_Section = Temp_option->SizeOfImage - Temp_sec->VirtualAddress;
//改变第一个节在文件中和内存中的总大小
Temp_sec->Misc.VirtualSize = All_Section;
Temp_sec->SizeOfRawData = All_Section;


//把节的属性全部组合**********这里比较重要********************这里比较重要********************这里比较重要**********
DWORD numSection = 1;
while (numSection <= Temp_file->NumberOfSections)
{
//属性修改为每个节表的属性组合 **********这里比较重要**********
Temp_sec->Characteristics |= (Temp_sec + numSection)->Characteristics;
//void ZeroMemory( PVOID Destination,SIZE_T Length );
// Destination :指向一块准备用0来填充的内存区域的开始地址。,Length :准备用0来填充的内存区域的大小，按字节来计算。
ZeroMemory((char*)Temp_sec + sizeof(IMAGE_SECTION_HEADER)*numSection, sizeof(IMAGE_SECTION_HEADER));
numSection++;
}
//改节的个数
Temp_file->NumberOfSections = 1;
*SizeofImage = Temp_option->SizeOfImage;
*NewImageBuffer = *ImageBuffer;
}

//功能：打印出所有数据目录表的地址和大小
//参数：ImageBuffer地址
void PrintDirectory(PVOID* ImageBuffer)
{
//众头归位
PIMAGE_DOS_HEADER Temp_dos = (PIMAGE_DOS_HEADER)*ImageBuffer;
PIMAGE_NT_HEADERS Temp_nt = (PIMAGE_NT_HEADERS)((DWORD)Temp_dos + (DWORD)Temp_dos->e_lfanew);
PIMAGE_FILE_HEADER Temp_file = (PIMAGE_FILE_HEADER)((DWORD)Temp_nt + 4);
PIMAGE_OPTIONAL_HEADER Temp_option = PIMAGE_OPTIONAL_HEADER((DWORD)Temp_file + IMAGE_SIZEOF_FILE_HEADER);
//PIMAGE_SECTION_HEADER Temp_sec = PIMAGE_SECTION_HEADER((DWORD)Temp_option + Temp_file->SizeOfOptionalHeader);

PIMAGE_DATA_DIRECTORY pDir;
pDir = (PIMAGE_DATA_DIRECTORY)(&Temp_option->NumberOfRvaAndSizes + 1);
//这里为什么要用&Temp_option->NumberOfRvaAndSizes呢？ 
//因为要找得是Temp_option->NumberOfRvaAndSizes的地址，然后加上一个该地址的长度就等于PIMAGE_DATA_DIRECTORY（数据目录表的地址了）
for (int i = 0; i < 16; i++, pDir++)
{
printf("======第%d个数据目录表=====：\n 0x%08x\n 0x%08x\n", i + 1, pDir->VirtualAddress, pDir->Size);
//printf("0x%08x\n",pDir->VirtualAddress);
}
getchar();

}

//功能：Rva转Foa
//参数1：FileBuffer
//参数2：dwRva,需要转换的Rva地址

DWORD RvaToFileOffset(IN LPVOID pFileBuffer, IN DWORD dwRva)
{
//定义文件头
PIMAGE_DOS_HEADER dosHeader = NULL; //dos头指针
PIMAGE_NT_HEADERS ntHeader = NULL; //nt头指针
PIMAGE_FILE_HEADER peHeader = NULL; //pe头指针
PIMAGE_OPTIONAL_HEADER32 opHeader = NULL; //可选pe头指针
PIMAGE_SECTION_HEADER sectionHeader = NULL; //节表指针

//找到文件头
dosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
ntHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + dosHeader->e_lfanew);
peHeader = (PIMAGE_FILE_HEADER)((DWORD)ntHeader + 4);
opHeader = (PIMAGE_OPTIONAL_HEADER32)((DWORD)peHeader + IMAGE_SIZEOF_FILE_HEADER);
sectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)opHeader + peHeader->SizeOfOptionalHeader);

//1.判断是哪个节
int sec = -1;
for (int i = 0; i<peHeader->NumberOfSections; i++) {
DWORD va = (sectionHeader + i)->VirtualAddress;
DWORD size = (sectionHeader + i)->Misc.VirtualSize;
if (dwRva >= va && dwRva <= (va + size)) {
sec = i;
//printf("在第%d个节\n", sec);
break;
}
}
if (sec<0) {
printf("内存偏移不在任何一个节\n");
return 0;
}

//2.转换
DWORD secOffset = dwRva - (sectionHeader + sec)->VirtualAddress;
DWORD foa = (sectionHeader + sec)->PointerToRawData + secOffset;

return foa;
}


//功能：打印导出表信息 Print_Export
//参数1:FileBuffer

void Print_Export(LPVOID Filebuffer)
{
//众头归位
PIMAGE_DOS_HEADER Temp_dos = (PIMAGE_DOS_HEADER)Filebuffer;
PIMAGE_NT_HEADERS Temp_nt = (PIMAGE_NT_HEADERS)((DWORD)Temp_dos + (DWORD)Temp_dos->e_lfanew);
PIMAGE_FILE_HEADER Temp_file = (PIMAGE_FILE_HEADER)((DWORD)Temp_nt + 4);
PIMAGE_OPTIONAL_HEADER Temp_option = PIMAGE_OPTIONAL_HEADER((DWORD)Temp_file + IMAGE_SIZEOF_FILE_HEADER);

//数据目录指针 Data
PIMAGE_DATA_DIRECTORY Data = Temp_option->DataDirectory;
//定位导出表FOA地址
PIMAGE_EXPORT_DIRECTORY Export_Foa = (PIMAGE_EXPORT_DIRECTORY)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Data[0].VirtualAddress));
//判断导出表是否找到
if (!Export_Foa) { printf("导出表FOA没有找到"); free(Filebuffer); return; }
//打印导出表信息


printf("\n=======导出表--Name:%s=======\n", (LPSTR)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Export_Foa->Name)));
printf("=======导出表起始序号--Base:%d=======\n", Export_Foa->Base);
printf("=======导出表--函数总数--NumberofFuction:%d=======\n", Export_Foa->NumberOfFunctions);
printf("=======导出表--名称导出的函数总数--NumberofName:%d=======\n", Export_Foa->NumberOfNames);
printf("=======导出表--函数的内存地址表地址（Rva）--AddressOfFuction:%x=======\n", Export_Foa->AddressOfFunctions);
printf("=======导出表--函数名称的内存地址表地址（Rva）--AddressOfNames:%x=======\n", Export_Foa->AddressOfNames);
printf("=======导出表--函数序号的内存地址表地址（Rva）--AddressOfNameOradinals:%x=======\n", Export_Foa->AddressOfNameOrdinals);
printf("=======================函数地址=======================\n\n");
PDWORD Foa_Address_Fuctions = (PDWORD)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Export_Foa->AddressOfFunctions));
for (int i = 0; i < Export_Foa->NumberOfFunctions; i++)
{
printf("第%d个函数的地址(Rva)：%x\n", i, Foa_Address_Fuctions[i]);
}
PDWORD _Fuc_NameAddress = (PDWORD)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Export_Foa->AddressOfNames));
printf("=======================函数名字地址和名称：=======================\n\n");
for (int i = 0; i < Export_Foa->NumberOfNames; i++)
{
printf("第%d个函数名字的地址(Rva)：%#x---函数名字：%s\n", i, _Fuc_NameAddress[i], \
(PDWORD)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, _Fuc_NameAddress[i])));

//这里需要注意的是_Fuc_NameAddress是指向了函数名称地址表，这个表里面的地址全是Rva,所以\
还需要把_Fuc_NameAddress所指向的地址表中的地址（Rva）转为Foa才能识别出名称。同样的，如果要拿到函数地址的Foa\
也需要把_Fuc_NameAddress[i]也转为Foa。另外:NumberOfNames函数名称个数跟如何导出有关，我一共导出了四个函数\
Mul、Plus、Div、@NONAME,,这个@NONAME就是函数Sub,因为使用了def文件的@NONAME，所以有一个没名字的函数，这里就没有显示出来
}
printf("=======================函数序号地址(Rva)和序号：=======================\n\n");

PWORD Ordinal_Address = (PWORD)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Export_Foa->AddressOfNameOrdinals));
for (int i = 0; i < Export_Foa->NumberOfNames; i++)
{
printf("函数序号地址(Foa):%#x---序号表序号：%d--导出序号：%d\n", Ordinal_Address + i, Ordinal_Address[i], Ordinal_Address[i]+Export_Foa->Base);
}

}

//功能：根据函数名，找到这个函数的地址
//参数1：OUT FileBuffer
//参数2：需要找的函数名指针。
//返回值：函数地址（Rva）
DWORD GetFuctionAddrByName(LPVOID Filebuffer, LPSTR pFuctionName)
{
PIMAGE_DOS_HEADER Temp_dos = (PIMAGE_DOS_HEADER)Filebuffer;
PIMAGE_NT_HEADERS Temp_nt = (PIMAGE_NT_HEADERS)((DWORD)Temp_dos + Temp_dos->e_lfanew);
PIMAGE_FILE_HEADER Temp_file = (PIMAGE_FILE_HEADER)((DWORD)Temp_nt + 4);
PIMAGE_OPTIONAL_HEADER Temp_option = PIMAGE_OPTIONAL_HEADER((DWORD)Temp_file + IMAGE_SIZEOF_FILE_HEADER);

//数据目录指针 Data
PIMAGE_DATA_DIRECTORY Data = Temp_option->DataDirectory;
//定位导出表FOA地址
PIMAGE_EXPORT_DIRECTORY Export_Foa = (PIMAGE_EXPORT_DIRECTORY)\
((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Data[0].VirtualAddress));
//判断导出表是否找到,没有找到就退出
if (!Export_Foa) { printf("导出表FOA没有找到"); free(Filebuffer); return 0; }
//遍历exe或Dll中存在的函数名字
PDWORD FuctionName = (PDWORD)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Export_Foa->AddressOfNames));
for (int i = 0; i < (int)Export_Foa->NumberOfNames; i++)
{
//printf("函数：%s", (LPSTR)((DWORD)Filebuffer+(DWORD)(RvaToFileOffset(Filebuffer, FuctionName[i]))));
//这里使用了STRCMP函数进行字符串比较，如果遍历的函数名称与我们提供的一模一样，\
那么久会返回函数名称和地址（Rva）
if (strcmp((char*)(PDWORD)pFuctionName, \
(char*)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, FuctionName[i])))==0) 
{
printf("让我猜猜，你要找的这个函数的名称是：%s\n\n函数地址为(Rva)：%#x\n\n", \
(char*)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, FuctionName[i])),FuctionName[i]);
return (DWORD)FuctionName[i];
}
}
return 0;

}

//功能：根据导出序号找到函数地址
//参数1：Filebuffer指针
//参数2：导出序号的指针
//返回值：函数地址(Rva)
DWORD GetFuctionAddrbyOrinal(LPVOID Filebuffer, int* Orinal)
{
PIMAGE_DOS_HEADER Temp_dos = (PIMAGE_DOS_HEADER)Filebuffer;
PIMAGE_NT_HEADERS Temp_nt = (PIMAGE_NT_HEADERS)((DWORD)Temp_dos + Temp_dos->e_lfanew);
PIMAGE_FILE_HEADER Temp_file = (PIMAGE_FILE_HEADER)((DWORD)Temp_nt + 4);
PIMAGE_OPTIONAL_HEADER Temp_option = PIMAGE_OPTIONAL_HEADER((DWORD)Temp_file + IMAGE_SIZEOF_FILE_HEADER);

//数据目录指针 Data
PIMAGE_DATA_DIRECTORY Data = Temp_option->DataDirectory;
//定位导出表FOA地址
PIMAGE_EXPORT_DIRECTORY Export_Foa = (PIMAGE_EXPORT_DIRECTORY)\
((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Data[0].VirtualAddress));
//判断导出表是否找到,没有找到就退出
if (!Export_Foa) { printf("导出表FOA没有找到"); free(Filebuffer); return 0; }
//1、根据有函数名字就有函数序号的原理,遍历出序号\
2、根据函数地址序号=导出序号-Base
PWORD    Foa_Orinal = (PWORD)((DWORD)Filebuffer + RvaToFileOffset(Filebuffer, Export_Foa->AddressOfNameOrdinals));
for (int i = 0; i < Export_Foa->NumberOfNames; i++)
{
if ((int)(Foa_Orinal[i]+Export_Foa->Base) == *Orinal)
{
printf("已根据导出序号找到函数\n\nBase:%d\n\n这个函数地址的序号为：%d\n\n这个函数的导出序号为：%d\n\n这个函数的地址为(Rva)：%#x", \
Export_Foa->Base,*Orinal - (int)(Export_Foa->Base), *Orinal, &Foa_Orinal[i]);
return (DWORD)(Foa_Orinal+i);
}
}
printf("没有根据你的导出序号找到相关函数");
return 0;

}

//功能:打印重定位表
//参数：pFileBuffer指针

void Pt_Relocation(PVOID pFileBuffer)
{

}